Slashdot Mirror
Italian ISP Hides Data Acquisition by Police
jaromil writes "It happened recently in Italy: the provider Aruba lied to a customer calling "power loss" a police action to acquire all data contained in the harddisks of the AUT/INV collective,
keeping it secret for a whole year, while more than 30.000 people used its encrypted services for private comunications."
The submitted summary is an incoherent run on sentence. If the article is important the editors should have take the time to re-write the user submitted summary. When Slashdot started that is what the editors did.
Yes , that's not the problem though.
The problem is they didn't later inform the other perhaps 29,999 people that they also had their data and privacy compromised.
Not to mention the whole issue of taking their data in the first place
The only things certain in war are Propaganda and Death. You can never be sure which is which though
The point of encrypted email is you don't have to trust your ISP, or anyone, except the intended recipient.
If you are trusting some upstream service to do the encryption it sorta defeats the purpose, as this example points out.
Are there US compnies or laws that will make me more secure?
No one can make you secure, except yourself.
I've had enough abrasive sigs. Kittens are cute and fuzzy.
We always suspected that they [the isp Aruba] weren't trustworthy...
Why did they think their system was secure?
This article highlights why physical security is so important. Cryptography is a work around for poor physical security. It is not a replacement. As the server held encryption keys the security of the system was completely dependant on the physical security of that server.
Unfortunately this group hasn't learned their lesson:
We will, as soon as possible, reactivate all the services on a new server, cleaned and sanitized, hosted by a different provider.
This service will still be susceptible to the very same attack.
Criminals? Interesting conclusion to draw. Because they were "wiretapped", they must have been committing some crime.
Actually, Italy has a long history of repressive search and seizure laws that go far beyond what would be considered okay in the US. I am curious to know if they had a warrant for any information that could have been in traffic passing through the server, or it was just some fishing expedition.
Ceci n'est pas un post
If that isn't a "power loss" I don't know what is. This is an answer worthy of the Oracle at Delphi.
Even if Austici used SSL keys with a passphrase Aruba could have still compromised the SSL software to copy all of the unencrypted data.
The ISP Aruba was much more then an ISP hosting a server machine. Aruba was also providing the physical security of the server. Aruba had physical access to the server, the encryption keys, the encryption software, and the clear text data. Austici had to trust Aruba for the security of the entire system. If Austici wants a secure system they must keep the encryption physically secure. Usually this requires that the servers are in a location that they control and monitor.
It seems that Autistici/Inventati server hosted files about a trial that involve italian police abuses during Genoa G8...
I am still trying to figure out waht this means: Aruba lied to a customer calling "power loss"
It appears the police raid was made and no one bothered to tell the responsible for the servers that an investigation/seizing of data was being made.
Disruption of service occurred, and the phone calls by costumers were answered with technical excuses, instead of telling the truth.
This is what italian webpress says.
Note also that 30000 accounts, personal data, crypto keys, was seized because one single hosted site was under investigation.
---- MISSING MISCELLANEOUS DATA SEGMENT --- [sigdash] trolololol